Postfix

We chose Postfix due to its modern design and security record. It also has a license that we can live with more easily than qmail.

We generally configure Postfix in one of 2 configurations: outbound only, and outbound plus inbound. Outbound only is pretty simple; inbound configuration is quite a bit more complex.

Prerequisites

Be sure that the "Firewall" procedure has been completed. Several ports will need to be open for testing inbound email.

Debian comes with Exim 4 installed. We'll need to remove it so we can replace it with Postfix. It's best to remove it beforehand, so that we can reliably remove all the associated configuration files:

sudo apt-get purge 'exim4*'

Installation

Install the package:

sudo apt-get install postfix

You will (probably) be presented with some warnings and instructions in text menus. Hit OK after reading the instructions. Select No Configuration when prompted for the type of configuration – we'll configure everything manually.

Basic Configuration

Tell the SMTP server what domains to accept email for. (Do NOT list any VIRTUAL domains here. The distinguishing feature of non-virtual domains is that any real user ID that exists on the box – or is listed in the aliases file – is a valid address in the domain; the valid addresses in a virtual domain have to be explicitly listed in the virtual alias map.) For outbound-only systems, we only want to list "localhost" and "$myhostname":

sudo postconf -e 'mydestination=localhost, $myhostname'

Add our domain name to any addresses that are not specified:

sudo postconf -e 'myorigin=$mydomain'

Denote which systems can send outbound email (without having to authenticate). We also include a separate file to list any additional IPs that are allowed to relay through us. See the Relay section below.

sudo sh -c 'cat > /etc/postfix/mynetworks' << 'EOD'
# These IPs are allowed to relay through our SMTP servers.
# NOTE: The 2nd field is not used, but you'll get warnings from postmap if you leave it out.
EOD
sudo postmap /etc/postfix/mynetworks

Set what the SMTP server should say when a client connects. We keep the version info out, for security reasons:

sudo postconf -e 'smtpd_banner=$myhostname ESMTP $mail_name'

Set the mail aliases file. (Note that the aliases file is special in 3 ways: it exists outside the /etc/postfix directory for historical reasons; it uses a colon (':') to separate the left side from the right; and you use the newaliases command after updating it, instead of the postmap command.)

Allow email addressed to 'username+foo', so the user can have multiple virtual sub-addresses:

sudo postconf -e 'recipient_delimiter=+'

For outbound-only email servers, we want the SMTP server to listen only on the localhost interface:

sudo postconf -e 'inet_interfaces=127.0.0.1'

The Mailman documentation recommends the following setting. It ensures that emails to unknown local addresses generate a permanent error, not a transient error that causes the client to keep retrying.

sudo postconf -e 'unknown_local_recipient_reject_code=550'
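
An added example (not part of the original procedure): a small POSIX shell audit that checks the values set above on an outbound-only host. The function names and the sample input are constructed for illustration; as assumptions beyond the page, it accepts Postfix's other loopback spellings for inet_interfaces besides 127.0.0.1, and treats any mydestination entry other than the two listed above as a finding.

```shell
# Added example: audit the outbound-only settings from this page.
# Input is "name = value" text, as printed by:
#   postconf inet_interfaces mydestination smtpd_banner \
#            unknown_local_recipient_reject_code

# param TEXT NAME: print the value of NAME (last occurrence wins)
param() {
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# items LIST: print one comma- or space-separated list element per line
items() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | sed '/^$/d'
}

# audit_outbound_only TEXT: print one finding per line; return 1 if any
audit_outbound_only() {
    findings=$(
        [ -n "$(param "$1" inet_interfaces)" ] ||
            echo "inet_interfaces: not present in input"
        items "$(param "$1" inet_interfaces)" | while read -r i; do
            case $i in
                127.0.0.1|localhost|loopback-only|'[::1]') ;;
                *) echo "inet_interfaces: listens on non-loopback '$i'" ;;
            esac
        done
        items "$(param "$1" mydestination)" | while read -r d; do
            case $d in
                localhost|'$myhostname') ;;
                *) echo "mydestination: unexpected domain '$d'" ;;
            esac
        done
        case $(param "$1" smtpd_banner) in
            *mail_version*) echo "smtpd_banner: exposes the Postfix version" ;;
        esac
        [ "$(param "$1" unknown_local_recipient_reject_code)" = 550 ] ||
            echo "unknown_local_recipient_reject_code: expected 550"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample of a misconfigured host (not output from a real system)
SAMPLE_BAD='inet_interfaces = all
mydestination = localhost, $myhostname, example.com
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
unknown_local_recipient_reject_code = 450'
audit_outbound_only "$SAMPLE_BAD" || true
```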

Startup Postfix

First check to ensure that the configuration files are valid. (If it returns without printing anything, then the configuration is valid.)

sudo postfix check

Make sure that there's an /etc/aliases.db file:

sudo newaliases

Start the Postfix daemons:

sudo /etc/init.d/postfix start

To make sure the daemons are running, you can check the process table:

ps auxw | grep postfix

This should show the 3 daemon processes. It should look something like this: